← Back to Security Blog
Security Briefing 7 min read

Honeywell CCTV Auth Bypass + Figure 1M Account Breach

CISA warns of critical Honeywell CCTV vulnerability (CVSS 9.8) allowing unauthorized access. Figure fintech breach exposes nearly 1 million accounts via social engineering. Four VS Code extensions with 125M+ downloads contain critical flaws. Microsoft Copilot bug bypasses DLP policies since January.


Critical: Honeywell CCTV Authentication Bypass

CISA Advisory: CVE-2026-1670 — CVSS 9.8

CISA is warning of a critical vulnerability in multiple Honeywell CCTV products used in critical infrastructure. Attackers can hijack accounts and access camera feeds without authentication.

Discovered by researcher Souvik Kanda, CVE-2026-1670 is classified as "missing authentication for critical function." The flaw allows an unauthenticated attacker to change the recovery email address associated with a device account, enabling complete account takeover.

Affected Models

Model Firmware Version
I-HIB2PI-UL 2MP IP 6.1.22.1216
SMB NDAA MVO-3 WDR_2MP_32M_PTZ_v2.0
PTZ WDR 2MP 32M WDR_2MP_32M_PTZ_v2.0
25M IPC WDR_2MP_32M_PTZ_v2.0

These NDAA-compliant cameras are deployed in U.S. government agencies, federal contractors, and critical facilities. CISA recommends:


Figure Fintech: 967K Accounts Breached

ShinyHunters Claims Responsibility for Social Engineering Attack

Blockchain-native fintech company Figure Technology Solutions suffered a breach affecting nearly 1 million accounts. The attack was executed via social engineering.

Figure, which has unlocked over $22 billion in home equity with 250+ partners including banks, credit unions, and fintechs, confirmed the incident to TechCrunch. The attackers used voice phishing (vishing) to trick an employee into providing access.

Exposed Data

The ShinyHunters extortion group leaked 2.5GB of data from thousands of loan applicants on their dark web site. This is part of a larger campaign targeting SSO accounts at Okta, Microsoft, and Google across 100+ high-profile organizations.

🎯 Attack Pattern

Attackers impersonate IT support, call employees, and trick them into entering credentials and MFA codes on phishing sites that impersonate company login portals. Once in, they gain access to connected enterprise applications including Salesforce, Microsoft 365, Google Workspace, Slack, and Dropbox.


VS Code Extensions: 125M+ Downloads Affected

Critical Flaws Enable File Exfiltration and Remote Code Execution

OX Security researchers discovered multiple vulnerabilities in four popular VS Code extensions. Three CVEs remain unpatched.

"A hacker needs only one malicious extension, or a single vulnerability within one extension, to perform lateral movement and compromise entire organizations," the researchers warned.

CVE Extension CVSS Impact
CVE-2025-65717 Live Server 9.1 Local file exfiltration via malicious website
CVE-2025-65716 Markdown Preview Enhanced 8.8 Arbitrary JavaScript execution via .md file
CVE-2025-65715 Code Runner 7.8 Arbitrary code execution via settings.json
Microsoft Live Preview Sensitive file exfiltration (fixed in v0.4.16)

Immediate Actions


Microsoft Copilot Bypasses DLP Policies

Bug Active Since January 21 — Summarizing Confidential Emails

A Microsoft 365 Copilot bug has been causing the AI assistant to summarize confidential emails, bypassing data loss prevention (DLP) policies that protect sensitive information.

Tracked as CW1226324, this bug affects the Copilot "work tab" chat feature. It incorrectly reads and summarizes emails in Sent Items and Drafts folders — including messages with confidentiality labels explicitly designed to restrict access by automated tools.

Timeline

Microsoft stated: "This did not provide anyone access to information they weren't already authorized to see... A configuration update has been deployed worldwide for enterprise customers."

Enterprise Recommendation

Review Copilot activity logs for the period since January 21. Verify that sensitivity-labeled content wasn't inadvertently included in Copilot summaries shared beyond intended recipients.


Other Headlines

Texas Sues TP-Link Over Chinese Hacking Risks

Texas sued TP-Link Systems, accusing the company of deceptively marketing routers as secure while allowing Chinese state-backed hackers to exploit firmware vulnerabilities.

INTERPOL Operation Red Card 2.0

651 arrests across 16 African countries. Recovered over $4.3 million. Operation targeted investment fraud, mobile money scams, and fraudulent loan apps linked to $45 million in losses.

PromptSpy: First Malware to Abuse Gemini AI

ESET discovered Android malware that uses Google's Gemini AI to maintain persistence. The malware leverages generative AI to analyze screens and generate step-by-step instructions to keep itself pinned in recent apps.

Nigerian Hacker Gets 8 Years for Tax Fraud

Sentenced for hacking multiple tax preparation firms in Massachusetts and filing fraudulent returns seeking over $8.1 million in refunds.


Today's Numbers

Metric Value
Figure breach accounts affected 967,200
Honeywell CVE severity (CVSS) 9.8
VS Code extension downloads at risk 125M+
Copilot DLP bypass duration ~30 days
INTERPOL arrests (Op Red Card 2.0) 651
Organizations targeted by ShinyHunters 100+

Today's Priorities

  1. ISOLATE: Honeywell CCTV systems — apply network segmentation immediately
  2. AUDIT: VS Code extensions — disable Live Server, Markdown Preview Enhanced, Code Runner until patched
  3. TRAIN: Security awareness on vishing attacks (ShinyHunters playbook)
  4. VERIFY: Microsoft Copilot DLP compliance — review activity since Jan 21
  5. REVIEW: SSO security controls — MFA bypass resistance

Protect Your Organization with KENSAI

AI-powered vulnerability management with 333,000+ CVEs indexed.

Start Free Scan

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →